Academics and comms industry experts challenge UK government scientists on their defence of NHS contact-tracing app, in particular the issue of centralised data gathering

The UK government may have earned some plaudits for attempting to use a mobile contact-tracing app to aid the fight against Covid-19, but the controversy over its nature, in particular its centralised database, is rumbling on.

On 4 May, the government, backed by leading experts in the UK’s epidemiology, IT and communications sectors, released more information on how the app – the first details of which were announced on 24 April – would work in its first scale trial on the Isle of Wight.

Developed by NHSX, the NHS’s digital healthcare innovation unit, the contact-tracing app works by using Bluetooth to automate the “laborious” process of contact tracing and has the goal of reducing transmission of the virus by alerting people who may have been exposed, so they can take action to protect themselves.

Once installed, the app will start logging the distance between a user’s smartphone and other phones nearby that also have the app installed using Bluetooth Low Energy. The anonymous log of how close users are to others will be stored securely on the user’s phone. If a user becomes unwell with symptoms of Covid-19, they can allow the app to inform the NHS which, subject to sophisticated risk analysis, will trigger an anonymous alert to other app users with whom the user came into significant contact over the previous few days.

In particular, they noted that the approach would lead to a big data set, so that the NHS could draw in all the information it needed to refine risk assessment, especially with regard to relaxing social distancing rules.

But anyone thinking that such a defence would end the debate was wrong. Almost immediately after the Isle of Wight launch, and in assessing where the biggest challenge for the app would come from, Muttukrishnan Rajarajan, director of City University of London’s institute for cyber security, said that although several decentralised approaches have already been successfully implemented across the world for Covid-19 tracing, the UK app’s fundamental architecture, in which all the data management is controlled centrally, was “an obvious privacy issue.”

“Any centralised system is more vulnerable to cyber attacks, especially if they hold sensitive data,” said Rajarajan. “The main problem here is because of the involvement of the NCSC [National Cyber Security Centre] to validate the framework. This means the general public are fearful that government will be tracking and tracing our movements and will record all our location data.”

Rajarajan said there were several privacy techniques that could be used to overcome these privacy challenges. He noted that techniques such as homomorphic encryption would allow the user to have total control of their personal data and that programmers could design schemes based on such security to carry out the computation in the encrypted domain, so there was no data leak to government or third parties.

Digital economy security firm Approov said that from a privacy perspective, the UK app is actually an improvement on the approach adopted by Australia’s COVIDSafe app and Singapore’s TraceTogether app, from which the former is derived. These require a phone number during the signup process, so that contact tracers can get in contact if proximity to an infectious person is suspected.

However, in its analysis of the functional elements of the UK app, Approov said app users’ phones would be constantly open to transmitting identifiers, including an encrypted form of the app’s instance ID. It argued that anyone with access to the NHSX database, and thus the decryption key, would be able to know the instance ID of the device.

It pointed out that this also meant that even though the database does not contain the user’s identity, it would only take one event in the real world from, say, personal contact, a modified point-of-sale device or a face recognition system to associate the instance ID with the actual person’s identity.
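
The linkage Approov describes can be seen in a simplified model, added here as an illustration and not taken from the NHSX app or from Approov's analysis. The cipher (an HMAC-SHA256 keystream), the key, the instance IDs, the names and the sightings are all constructed stand-ins.

```python
import hashlib, hmac, os

SERVER_KEY = b"constructed-demo-key"        # assumption: key held with the central database
ALICE_ID, BOB_ID = b"instance-0001", b"instance-0002"   # constructed instance IDs

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, a stand-in for the real (unspecified) cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def make_broadcast(key, instance_id):
    """Value a phone transmits: fresh nonce plus the encrypted instance ID."""
    nonce = os.urandom(8)
    ks = _keystream(key, nonce, len(instance_id))
    return nonce + bytes(a ^ b for a, b in zip(instance_id, ks))

def decrypt_broadcast(key, blob):
    """What the holder of the decryption key recovers from one broadcast."""
    nonce, ct = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def link_sightings(key, sightings):
    """Group (place, broadcast) observations by decrypted instance ID."""
    trails = {}
    for place, blob in sightings:
        trails.setdefault(decrypt_broadcast(key, blob), []).append(place)
    return trails

def name_trails(key, trails, identified_events):
    """One real-world event tying a broadcast to a person names that whole trail."""
    names = {decrypt_broadcast(key, blob): who for who, blob in identified_events}
    return {names[iid]: places for iid, places in trails.items() if iid in names}

def demo():
    sightings = [("station", make_broadcast(SERVER_KEY, ALICE_ID)),
                 ("clinic", make_broadcast(SERVER_KEY, ALICE_ID)),
                 ("cafe", make_broadcast(SERVER_KEY, BOB_ID))]
    distinct = len({blob for _, blob in sightings})   # what an outside listener sees
    trails = link_sightings(SERVER_KEY, sightings)
    event = [("Alice", make_broadcast(SERVER_KEY, ALICE_ID))]  # e.g. a point-of-sale sighting
    return distinct, name_trails(SERVER_KEY, trails, event)

if __name__ == "__main__":
    print(demo())
```

Without the key, the three broadcasts look like unrelated values; with it, two of them collapse onto one instance ID, and a single identified sighting puts a name on that whole trail.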

Rajarajan said that as the app develops, there could be an interesting safety versus privacy trade-off, examining whether to compromise our safety over being over-cautious or even paranoid about privacy. “Once citizens feel the added benefits from the app to self-manage the Covid-19 situation and if they can be convinced that the data is never going to be stored beyond the current pandemic, I think we will all sign up to use this app,” he said.

“It will be a community-driven app. Early take-up may be slow, but once people see the added benefits and as we slowly move out of the lockdown phases, everyone will start to use this app to avoid a second peak of the virus. I think in situations like this, our safety will be our top priority.”
